Every employee you currently have will leave the organization. They may leave for other opportunities, retire, or be restructured. From a risk and security viewpoint, that process needs to be managed carefully. Why? Poor employee offboarding puts the company and individual at risk.
How Poor Employee Offboarding Hurts Companies
Mismanaging how employees leave your company has multiple consequences. Recent industry research found that “20 percent of respondents believe the failure to deprovision employees has contributed to a data breach at their organization.” Departing employees may take copies of critical files — like customer lists — to assist a competitor. The economic impact of fraud and data loss is just one side of the coin.
When an employee departs an organization, it is usually an emotional experience. Few managers look forward to delivering a layoff message to an employee. On the other hand, if an employee leaves for a good reason for retirement, it is easy to forget administrative requirements during the celebrations. How can you handle these feelings and get your work done?
Start by acknowledging the feelings that come with changes. In the case of layoffs, use UC Davis’s HR advice. such as “Avoid isolation and lack of communication with others. Peer support is beneficial in times like these.” From an HR perspective, use standardized processes and tools to manage the process. The whole process is easier when you have a clear playbook to follow.
How HR Improves Employee Offboarding
Here are five methods and resources you can use to improve employee offboarding regarding access governance. Make sure you seek feedback from managers as you develop these tools.
1) Maintain Up-to-Date User Access Files
If you do not know what access a user has, how can you accurately offboard them? Either you will miss something, or you will have an exhausting process to identify all of their user accounts. Instead, take a proactive approach to maintaining accurate user access files.
If you have limited resources, ask each people manager to create a user access spreadsheet listing the access rights and privileges held by their people. If you find that process too difficult to manage, we recommend using Compliance Auditor. Ask your managers to confirm they have up-to-date information annually or every six months.
2) Provide an Employee Offboarding Checklist
Checklists are one of the most powerful tools on the market to reduce mistakes. For employee offboarding, make sure your checklist is simple. At a minimum, we suggest covering the following points:
- Physical Security Assets. Confirm that all physical security items (e.g., keys, key cards, security tokens) are returned and logged. If some items cannot be reused — photo ID cards — make sure they are destroyed.
- Company Assets. If employees are issued laptops, smartphones, and other materials, make sure everything is returned and accounted for.
- User Accounts. Either using a manual approach or access governance tool, turn off all of the user’s accounts.
- Schedule transition meetings. We recommend setting up meetings to discuss how the workload will be managed after an employee departs. You may need to set up a short-term plan to cover the work while you hire a replacement.
Resource: To aid you in developing an offboarding checklist, take a look at the following offboarding document from the University of Houston.
3) Plan the Offboarding Schedule With Care
With the above strategies in place, make sure you develop a thoughtful offboarding schedule. This schedule will include the following components:
- Pre-Departure. Identify the employees who will be departing. This step may be done in the two week notice period. If you have a strong relationship with the employee, you may ask for their input in planning the transition (e.g., identifying in progress projects).
- Offboarding Day. Plan which activities will happen and where. We recommend covering access, security cards, and related activities early in the day.
- Offboarding Review. After offboarding is complete, periodically ask a third party — like your internal auditors — to review the process. This is one of the best ways to detect blind spots in your offboarding activities.
4) Reduce User Access in the First Place
It is easier to turn off a departing employee’s access if you have a short list to work through. Start with the principle that user access is granted on a need-to-use basis. If an employee no longer needs access to a certain system, it ought to be removed. Use the following tips to keep your user access up to date:
- Internal job changes. If an employee joins your department, review their access privileges and see what is appropriate to remove.
- Reduce Access. If employees only require reports from a system, investigate whether their access can be changed to “read only” instead of full access.
- Investigate Single Sign-On Software. Using single sign-on software reduces the administrative burden of monitoring access. Read 5 reasons to get started with SSO software.
The final way to improve offboarding lies in adopting a continuous improvement philosophy.
5) Pursue Continuous Improvement in Your Offboarding Process
Manufacturing companies were the first to promote continuous improvement as a way to improve productivity. Apply the same philosophy to your human resources offboarding. Focus your attention on these areas to get started.
- Systems and automation. What systems can HR adopt or encourage to systematize access governance activities?
- Surveys. To gather new ideas, send an annual survey to your managers to ask for their feedback. We suggest focusing on access governance, security, and the tools HR provides.
Once you have improved your employee offboarding process, there are other ways to improve cybersecurity.
Next Steps for Managing Security Risk
Your company may have limited employee turnover. In that situation, employee offboarding processes will not come into effect frequently. To improve security, you will need to upgrade other aspects of your cybersecurity practices. Your options include seeking a third-party assessment of your security, improving IT security training, and implementing single sign-on software.
